
I am running a non root K8s pod, which is using a PV and the following security context

# security context
  securityContext:
    runAsUser: 1000
    runAsGroup: 2000
    fsGroup: 2000
    fsGroupChangePolicy: "OnRootMismatch"
# volume
      volumeMounts:
        - name: app
          mountPath: /home/user/app

The files and folders created inside the volume are indeed owned by 1000 and 2000

-rw-r--r-- 1 1000 2000   2113 Jun  7 12:34 README.md
-rw-r--r-- 1 1000 2000   1001 Jun  7 12:34 package.json

but the parent directory /app is owned by root instead of UID 1000

drwxrwxrwx 5    0    0  8 Jun  7 12:34 app

I tried creating the app folder beforehand with the right ownership and permissions, but it's getting overridden, as the volume is created by the K8s csi.

Actually, the documentation states that the parent directory should also be owned by GID 2000:

The owner for volume /data/demo and any files created in that volume will be Group ID 2000.

How can I force Kubernetes to respect the ownership of the parent directory? Is that handled by the CSI?

I am using Rook as storage class.

alixander

1 Answer


When mounting volumes the pre-existing files and directories will be overwritten by the CSI.

I'm not sure where the permissions on the mounted directories are coming from; my guess is that it's simply the UID of the FS provisioner, but this is pure speculation on my part.

Perhaps a solution is to provision the directories you want yourself; you could use an init container with the same securityContext setting it up, or add some code to check for and conditionally provision the directory in the main pod.

Ernst
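A worked version of the init-container approach from the answer, added here as an example and not part of the original post or of Kubernetes/Rook: the init container runs with the same non-root securityContext, creates a subdirectory inside the root-owned volume, and the main container mounts only that subdirectory via subPath, so its mountPath is owned by 1000:2000. The PVC name and container images are assumed.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-nonroot
spec:
  # Pod-level settings (values from the question); inherited by every container below.
  securityContext:
    runAsUser: 1000
    runAsGroup: 2000
    fsGroup: 2000
    fsGroupChangePolicy: "OnRootMismatch"
  volumes:
    - name: app
      persistentVolumeClaim:
        claimName: app-pvc        # assumed PVC name, backed by the Rook storage class
  initContainers:
    # Runs as UID 1000 / GID 2000 (inherited), never as root. The volume root is
    # root-owned but mode 0777 (see the ls output), so mkdir succeeds and the new
    # directory is owned by the creating process: 1000:2000. mkdir -p is idempotent
    # across pod restarts.
    - name: prepare-app-dir
      image: busybox:1.36         # assumed image
      command: ["sh", "-c", "mkdir -p /mnt/vol/app && chmod 0770 /mnt/vol/app"]
      volumeMounts:
        - name: app
          mountPath: /mnt/vol
  containers:
    - name: app
      image: my-app:latest        # placeholder image
      volumeMounts:
        # Mount only the prepared subdirectory: /home/user/app is then the
        # 1000:2000 directory, not the root-owned volume root.
        - name: app
          mountPath: /home/user/app
          subPath: app
```

Verify with `kubectl exec app-nonroot -- ls -ld /home/user/app`, which should now report UID 1000 and GID 2000 for the mount point itself.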